Expressing Privacy Preferences in terms of Invasiveness

Dynamic context aware systems need highly flexible privacy protection mechanisms. We describe an extension to an existing RBAC-based mechanism that utilises a dynamic measure of invasiveness to determine whether contextual information should be released

Security, Privacy and Safety Risk Assessment for Virtual Reality Learning Environment Applications

Social Virtual Reality based Learning Environments (VRLEs) such as vSocial render instructional content in a three-dimensional immersive computer experience for training youth with learning impediments. There are limited prior works that explored attack vulnerability in VR technology, and hence there is a need for systematic frameworks to quantify risks corresponding to security, privacy, and safety (SPS) threats. The SPS threats can adversely impact the educational user experience and hinder delivery of VRLE content. In this paper, we propose a novel risk assessment framework that utilizes attack trees to calculate a risk score for varied VRLE threats with rate and duration of threats as inputs. We compare the impact of a well-constructed attack tree with an adhoc attack tree to study the trade-offs between overheads in managing attack trees, and the cost of risk mitigation when vulnerabilities are identified. We use a vSocial VRLE testbed in a case study to showcase the effectiveness of our framework and demonstrate how a suitable attack tree formalism can result in a more safer, privacy-preserving and secure VRLE system.Comment: Tp appear in the CCNC 2019 Conferenc

On the inability of existing security models to cope with data mobility in dynamic organizations

Modeling tools play an important role in identifying threats in traditional\ud IT systems, where the physical infrastructure and roles are assumed\ud to be static. In dynamic organizations, the mobility of data outside the\ud organizational perimeter causes an increased level of threats such as the\ud loss of confidential data and the loss of reputation. We show that current\ud modeling tools are not powerful enough to help the designer identify the\ud emerging threats due to mobility of data and change of roles, because they\ud do not include the mobility of IT systems nor the organizational dynamics\ud in the security model. Researchers have proposed security models that\ud particularly focus on data mobility and the dynamics of modern organizations,\ud such as frequent role changes of a person. We show that none\ud of the current security models simultaneously considers the data mobility\ud and organizational dynamics to a satisfactory extent. As a result, none\ud of the current security models effectively identifies the potential security\ud threats caused by data mobility in a dynamic organization